Cloudflare and Nginx reverse proxy background.

This isn't nearly a complete guide, just some background that @EddieJennings was doing some research/learning on.

So, I've only found one way that would get a Let's Encrypt cert working with an Nginx reverse proxy for the transport back end to Cloudflare. The free Cloudflare DDoS mitigation service will normally handle all TLS traffic on their front end, and very well from the limited testing I've done (places like ssllabs.com).

So, certbot-2 is the current version of the certbot client in the Fedora repositories. Comes in python2-certbot. They also have a python3-certbot, but that's only needed if you've switched to python3, and I don't see a reason to do so on a reverse proxy.

certonly because certbot just doesn't deal with reverse proxy configs properly yet. It's great if you're only running a single web server off a single box, but tends to mess up configs for you in more complex configurations.

--dns-cloudflare is a plugin. Also available in the default repositories now as python2-certbot-dns-cloudflare.noarch. Handles the Cloudflare authorization, which used to be more difficult than with this plugin. I didn't find any documentation on this plugin when Googling on how to do this; I blame bad Google-fu.

--renew-by-default Tell Certbot that we want to renew the certificate(s). Honestly, I forget why I put this in here with the initial cert request.

Finally, every single domain and/or subdomain you want the certificate to be valid for needs to be listed with -d domain.com. So subdomains are -d subdomain.domain.com. I currently have 17 subdomains and the main domain that all get certs this way.

That doesn't mean they all work at any given time, it is my home lab box that I purposely break **** on.

The certificates themselves go in /etc/letsencrypt/live/domain.com/. I created a couple of symlinks in /etc/ssl/ that point back to the letsencrypt files. At the time, it was much easier to remember the full path and filename of /etc/ssl/domain.com.key and /etc/ssl/domain.com.crt than the full paths and filenames that certbot used.
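The post above describes the pieces (certonly, the dns-cloudflare plugin, one -d per name, symlinks in /etc/ssl) without showing them assembled. The script below is an added example, not the original poster's command or any certbot project code: it writes the plugin's credentials file with a 0600 mode (the file holds a Cloudflare API credential, and certbot warns if it is readable by others), builds the certonly command line from a domain list, and creates the /etc/ssl-style symlinks into certbot's live directory. The domain names, the email/API-key placeholders, the $ROOT scratch directory and the 127.0.0.1 deploy hook are assumptions so it runs offline; the real certbot run is the printed command, which it does not execute.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): assemble the certbot-2 +
# dns-cloudflare command the thread describes, lock down the credentials
# file, and create the /etc/ssl shortcuts. Everything lives under $ROOT
# (assumed scratch directory) so nothing touches the real system.
set -eu

ROOT="${ROOT:-$(mktemp -d)}"
CRED="$ROOT/cloudflare.ini"

# The dns-cloudflare plugin reads an INI file with the account email and API
# key. It is a secret, so create it with a restrictive umask and mode 600.
write_cloudflare_credentials() {   # $1=email  $2=API key (placeholders here)
    ( umask 077
      printf 'dns_cloudflare_email = %s\ndns_cloudflare_api_key = %s\n' \
          "$1" "$2" > "$CRED" )
    chmod 600 "$CRED"
}

cred_mode() {                      # octal mode of the credentials file
    stat -c '%a' "$CRED" 2>/dev/null || stat -f '%Lp' "$CRED"
}

# certonly: only obtain the cert, leave the Nginx config alone.
# --dns-cloudflare: DNS-01 challenge via the plugin, so port 80 on the origin
# is never needed (it is behind Cloudflare anyway).
# One -d per domain/subdomain, exactly as the post says.
# --deploy-hook reloads Nginx after a successful (re)issue so the symlinked
# files are picked up; 'certbot-2 renew' from cron reuses all of this.
build_certbot_cmd() {              # $1=main domain, rest=subdomains
    local cmd="certbot-2 certonly --dns-cloudflare"
    cmd="$cmd --dns-cloudflare-credentials $CRED"
    cmd="$cmd --renew-by-default --deploy-hook 'systemctl reload nginx'"
    local name
    for name in "$@"; do
        cmd="$cmd -d $name"
    done
    printf '%s\n' "$cmd"
}

# Mirror the post's /etc/ssl/domain.com.{key,crt} shortcuts. Nginx needs
# fullchain.pem (leaf + intermediate), not cert.pem alone, or Cloudflare's
# Full (strict) mode cannot build a chain to a trusted root.
link_live_certs() {                # $1=main domain (the live/ directory name)
    local live="$ROOT/etc/letsencrypt/live/$1" ssl="$ROOT/etc/ssl"
    mkdir -p "$live" "$ssl"
    : > "$live/privkey.pem"        # stand-ins; certbot writes the real ones
    : > "$live/fullchain.pem"
    ln -sfn "$live/privkey.pem"   "$ssl/$1.key"
    ln -sfn "$live/fullchain.pem" "$ssl/$1.crt"
}

write_cloudflare_credentials "admin@example.com" "PLACEHOLDER_API_KEY"
build_certbot_cmd example.com www.example.com lab.example.com
link_live_certs example.com
```

Run it and paste the printed command into a root shell on the proxy once the placeholders are replaced; a `certbot-2 renew` cron entry then keeps the same names current, and the deploy hook reloads Nginx only when a certificate actually changed.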

@travisdh1 Are there any benefits of configuring your own reverse proxy if it's running behind CloudFlare, which is essentially one already? I know they offer their own Origin CA certs that you can install on your web servers to encrypt the traffic between CF and your cloud. As long as you're happy to stick with CloudFlare, there will be no need to run cron jobs with certbot renewals every 3 months.

You can run a self signed cert on your local server and still be 100% encrypted with CloudFlare.

I still use a reverse proxy, but I'm using self-signed certs. I just have to make sure to select Full SSL instead of Full SSL (strict). Too many cool things I can do using a reverse proxy, like upstream.
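The self-signed approach in the reply above works because Cloudflare's "Full" mode encrypts to the origin without validating the origin's certificate, whereas "Full (strict)" requires a certificate that chains to a trusted CA (or a Cloudflare Origin CA cert). The script below is an added example, not code from any poster: it generates a self-signed origin key pair, writes the Nginx server block that uses it (with the upstream the reply mentions), and shows with openssl verify why the same cert passes Full but would be rejected by Full (strict). The hostname, the 127.0.0.1:8080 upstream and the $ROOT scratch directory are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): self-signed origin cert for an Nginx
# reverse proxy behind Cloudflare. Hostname, upstream port and $ROOT are
# assumed so it runs in a scratch directory; requires openssl >= 1.1.1.
set -eu

ROOT="${ROOT:-$(mktemp -d)}"

# Self-signed leaf with a SAN (Cloudflare, like browsers, matches on SAN, not
# CN). 825 days keeps it inside common maximum-validity policies.
make_origin_cert() {               # $1=hostname Cloudflare connects to
    local dir="$ROOT/etc/ssl"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
        -keyout "$dir/$1.key" -out "$dir/$1.crt" \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null
    chmod 600 "$dir/$1.key"        # private key stays root-readable only
}

cert_san() {                       # $1=hostname -> "DNS:<name>"
    openssl x509 -in "$ROOT/etc/ssl/$1.crt" -noout -text | grep -o 'DNS:[^,]*'
}

# Full (strict) behaves like a normal verifier: no trusted issuer, no deal.
strict_would_accept() {            # $1=hostname; exit 0 only if chain verifies
    openssl verify "$ROOT/etc/ssl/$1.crt" >/dev/null 2>&1
}

# Full only needs a cert that parses and a working TLS handshake; trusting the
# cert as its own root models that (any cert, self-signed or not, passes).
full_would_accept() {              # $1=hostname
    openssl verify -CAfile "$ROOT/etc/ssl/$1.crt" "$ROOT/etc/ssl/$1.crt" \
        >/dev/null 2>&1
}

# Server block using the pair, with an upstream for the backend.
write_nginx_site() {               # $1=hostname  $2=backend host:port
    cat > "$ROOT/$1.conf" <<EOF
upstream ${1//./_}_backend {
    server $2;
}

server {
    listen 443 ssl;
    server_name $1;

    ssl_certificate     /etc/ssl/$1.crt;   # self-signed: Full, not Full (strict)
    ssl_certificate_key /etc/ssl/$1.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://${1//./_}_backend;
        proxy_set_header Host              \$host;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

make_origin_cert origin.example.com
write_nginx_site origin.example.com 127.0.0.1:8080
if strict_would_accept origin.example.com; then
    echo "unexpected: self-signed cert verified against system roots"
else
    echo "Full (strict) would reject this cert; Full accepts it: $(full_would_accept origin.example.com && echo yes)"
fi
```

The practical consequence of picking Full over Full (strict) is that anything able to sit between Cloudflare and the origin can present its own certificate and Cloudflare will accept it; if that matters for the deployment, switch the pair to a Cloudflare Origin CA certificate or a Let's Encrypt one and move the zone to Full (strict).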

As @JaredBusch said, you can run self-signed certs with CloudFlare just fine. This was for my home lab, so I purposely do things the hard way sometimes, just to see what it's like. That's why I originally tackled this anyway. Running a reverse proxy mostly so I don't have to pay for nearly 30 IP addresses on the box I rent for it.